How do I block this?

Discussion in 'General' started by dclardy, Jan 11, 2010.

  1. dclardy

    dclardy New Member

    How can I block these attacks?

    Code:
    Jan 11 13:23:24 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:23:26 server pure-ftpd: (?@205.244.148.43) [INFO] New connection from 205.244.148.43
    Jan 11 13:23:27 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:23:29 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:23:32 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:23:34 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:23:43 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:23:45 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:23:56 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:23:58 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:24:12 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:24:14 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:24:30 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:24:32 server pure-ftpd: (?@205.244.148.43) [INFO] New connection from 205.244.148.43
    Jan 11 13:24:32 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:24:35 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:24:41 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:24:42 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
    Jan 11 13:24:50 server pure-ftpd: (?@205.244.148.43) [INFO] PAM_RHOST enabled. Getting the peer address
    Jan 11 13:24:58 server pure-ftpd: (?@205.244.148.43) [WARNING] Authentication failed for user [tsinternetuser]
     
  2. HyperAtom

    HyperAtom New Member

    Use fail2ban
     
  3. dclardy

    dclardy New Member

    What is the configuration method needed? What do I enable?
     
  4. HyperAtom

    HyperAtom New Member

    Install fail2ban

    /etc/fail2ban/jail.conf

    Code:
    #
    # FTP servers
    #
    
    [pure-ftpd]
    
    enabled  = true
    port     = ftp
    filter   = pure-ftpd
    logpath  = /var/log/messages
    maxretry = 3

    /etc/fail2ban/filter.d/pure-ftpd.conf

    Code:
    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$

    Restart your fail2ban
     
  5. sergio.morales

    sergio.morales New Member

    Is this really an attack?

    Has someone been trying to exploit something I have left open? I am getting this message on my box . . .

    Dec 12 23:56:36 server1 pure-ftpd: (?@74.113.89.114) [INFO] New connection from 74.113.89.114
    Dec 12 23:56:36 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:56:40 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:56:40 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:56:44 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:56:44 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:56:52 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:56:53 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:56:53 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:56:53 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:57:05 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:57:05 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:57:10 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:57:10 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:57:20 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:57:20 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:57:28 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:57:28 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
    Dec 12 23:57:39 server1 pure-ftpd: (?@74.113.89.114) [WARNING] Authentication failed for user [Administrator]
    Dec 12 23:57:39 server1 pure-ftpd: (?@74.113.89.114) [INFO] PAM_RHOST enabled. Getting the peer address
     
  6. falko

    falko Super Moderator

    I guess someone is trying to log into your FTP account. You should install fail2ban to block these attempts.
     
  7. sergio.morales

    sergio.morales New Member

    It is installed . . .

    I got fail2ban installed, but I am seeing a line already in this file:

    /etc/fail2ban/filter.d/pure-ftpd.conf

    similar to the one in this link. This is what it states:


    failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$


    It is slightly different . . . should I leave it in or remove it and replace it?

    sERGE
     
  8. falko

    falko Super Moderator

    If you don't see any errors in the fail2ban log in the /var/log/ directory, leave it as it is.
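
The two `failregex` variants quoted in this thread, compared side by side as an added example (not part of any post and not fail2ban's own code). It assumes `__errmsg` expands to the English message seen in the logs, uses a simplified IPv4 stand-in for `<HOST>`, runs on constructed log lines, and ignores fail2ban's time window when applying `maxretry`.

```python
import re
from collections import Counter

# Assumption: __errmsg expands to the English message seen in the thread's logs.
ERRMSG = r"Authentication failed for user"
# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, illustrative).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex variants quoted in the thread.
STRICT = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]$"
LENIENT = r"pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$"

def compile_failregex(template):
    """Expand the two placeholders and compile the result as a Python regex."""
    return re.compile(template.replace("<HOST>", HOST).replace("%(__errmsg)s", ERRMSG))

def failures_per_host(template, lines):
    """Count lines matching the failregex, grouped by source address."""
    rx = compile_failregex(template)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(template, lines, maxretry=3):
    """Hosts whose failure count reaches maxretry (time window ignored here)."""
    counts = failures_per_host(template, lines)
    return sorted(h for h, n in counts.items() if n >= maxretry)

def _fail(ts, ip, user, tail=""):
    """Build one constructed failure line in the thread's log format."""
    return (f"Jan 11 {ts} server pure-ftpd: (?@{ip}) [WARNING] "
            f"Authentication failed for user [{user}]{tail}")

# Constructed sample; addresses come from the documentation ranges.
SAMPLE = [
    "Jan 11 13:23:26 server pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10",
    _fail("13:23:29", "192.0.2.10", "tsinternetuser"),
    _fail("13:23:34", "192.0.2.10", "tsinternetuser"),
    _fail("13:23:45", "192.0.2.10", "tsinternetuser"),
    _fail("13:30:01", "198.51.100.7", "Administrator", tail=" "),  # trailing space
    _fail("13:30:05", "198.51.100.7", "Administrator", tail=" "),
    _fail("13:30:09", "198.51.100.7", "Administrator", tail=" "),
    _fail("13:40:00", "203.0.113.5", "webmaster"),  # single typo, below maxretry
]

if __name__ == "__main__":
    print("strict :", hosts_to_ban(STRICT, SAMPLE))
    print("lenient:", hosts_to_ban(LENIENT, SAMPLE))
```

The only difference between the variants is that `\s*$` still matches when a log line ends in whitespace, so the second form is the more tolerant of the two.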
     
